{"id":18436033,"url":"https://github.com/ossf/census","last_synced_at":"2025-08-23T23:19:57.523Z","repository":{"id":26256929,"uuid":"29704114","full_name":"ossf/census","owner":"ossf","description":"📜Automated review of open source software projects","archived":false,"fork":false,"pushed_at":"2024-12-06T19:29:08.000Z","size":32640,"stargazers_count":117,"open_issues_count":26,"forks_count":30,"subscribers_count":26,"default_branch":"main","last_synced_at":"2025-06-03T14:44:39.675Z","etag":null,"topics":["analysis","census","metrics","oss","statistics"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.txt","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-01-22T22:40:53.000Z","updated_at":"2025-04-04T04:32:52.000Z","dependencies_parsed_at":"2024-12-24T22:42:49.483Z","dependency_job_id":"62eb7ada-b714-4345-b2cb-8c2304674b6b","html_url":"https://github.com/ossf/census","commit_stats":null,"previous_names":["ossf/census","coreinfrastructure/census"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/ossf/census","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcensus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcensus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcensus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcensus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/census/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcensus/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266592183,"owners_count":23953109,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","census","metrics","oss","statistics"],"created_at":"2024-11-06T06:09:59.665Z","updated_at":"2025-07-23T00:04:49.325Z","avatar_url":"https://github.com/ossf.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/428/badge)](https://bestpractices.coreinfrastructure.org/projects/428)\n\n# Core Infrastructure Initiative Census (aka Census I)\n\nThis project contains programs and documentation to help identify\nopen source software (OSS) projects that may need additional investment\nto improve security, by combining a variety of quantitative metrics\nto estimate risk.\n\nYou can see the final report derived from this work,\n\u003ca href=\"https://openssf.org/resources/census-i-whitepaper-open-source-software-needing-security-investments/\" \u003e\"Open Source Software Needing Security Investments\" (aka \"Census I\") by David A. 
Wheeler and Samir Khakimov (June 2015)\u003c/a\u003e,\nvia\n\u003ca href=\"https://openssf.org/resources/census-i-whitepaper-open-source-software-needing-security-investments/\"\u003eOpenSSF\n(the successor to the Core Infrastructure Initiative (CII))\u003c/a\u003e\u003ca\nhref=\"https://openssf.org/programs/census-program-i/\"\u003e*\u003c/a\u003e or via\n\u003ca href=\"https://www.ida.org/research-and-publications/publications/all/o/op/open-source-software-projects-needing-security-investments\"\u003eIDA\u003c/a\u003e.\nThere has been follow-on work, so this final 2015 report is often\nretroactively referred to as \"Census I\".\n\nFor a more recent related report, see the \u003ca href=\"https://www.linuxfoundation.org/research/census-iii\"\u003eCensus III of Free and Open Software\u003c/a\u003e\nreport by Frank Nagle, Kate Powell, Richie Zitomer, and David A. Wheeler (December 2024) along with its \u003ca href=\"https://data.world/login?next=%2Fthelinuxfoundation%2F\"\u003edata set available on data.world from the Linux Foundation\u003c/a\u003e (\u003ca href=\"https://data.world/thelinuxfoundation/census-iii-of-free-and-open-source-software\"\u003edirect link to dataset, must be logged in to data.world\u003c/a\u003e).\n\nKey files included in this project are:\n\n* [OSS-2015-06-19.pdf](OSS-2015-06-19.pdf): Detailed documentation about this work.\n* [projects_to_examine.csv](projects_to_examine.csv): CSV file listing OSS projects to be examined, as well as data that requires human input.\n* [oss_package_analysis.py](oss_package_analysis.py): Python program that reads projects_to_examine.csv to determine the OSS projects to examine.  It gathers data from a variety of data sources, caching where it can. 
It produces [results.csv](results.csv).\n* [results.csv](results.csv): CSV file listing OSS projects and related metrics.\n* [by_inst](by_inst): Debian popularity statistics from http://popcon.debian.org/by_inst (you can get this from http://popcon.debian.org/ by selecting \"Statistics for the whole archive sorted by fields\").\n\nThe Python analysis program is released under the MIT license and requires [BeautifulSoup](http://www.crummy.com/software/BeautifulSoup/) to work. The program requires an [API key](https://github.com/blackducksw/ohloh_api#api-key) from Black Duck Open Hub to work.\n\nThe documentation is released under the Creative Commons CC-BY license.\n\nSome supporting data was sourced from the Black Duck Open HUB (formerly Ohloh), a free online community resource for discovering, evaluating, tracking and comparing open source code and projects.  We thank Black Duck for the data!\n\n# Description of this project\n\nThe Heartbleed vulnerability in OpenSSL highlighted that while some open source\nsoftware (OSS) is widely used and depended on, vulnerabilities can have\nserious ramifications, and yet some projects have not received the level of\nsecurity analysis appropriate to their importance. Some OSS projects have many\nparticipants, perform in-depth security analyses, and produce software that is\nwidely considered to have high quality and strong security. However, other\nOSS projects have small teams that have limited time to do the tasks necessary\nfor strong security. The trick is to identify which critical projects\nfall into the second bucket.\n\nWe have focused on automatically gathering metrics, especially those that\nsuggest less active projects. We also provided a human estimate of the\nprogram's exposure to attack, and developed a scoring system to heuristically\ncombine these metrics. These heuristics identified especially plausible\ncandidates for further consideration. 
For our initial set of projects to\nexamine, we took the set of packages installed by Debian base and added a set\nof packages that were identified as potentially concerning.\n\n# Collaboration\n\nThis is not currently an active project. We provide this repository\nso others can examine exactly what was done, and possibly use this\nas a starting point for further analysis.\n\nWhen it was active, we invited contributors to contribute via:\n\n* [pull request](https://github.com/linuxfoundation/cii-census/pulls) -\n  if you have a specific change to propose in the documentation, code, or data.\n  We prefer these, since these are easy to merge and show\n  exactly what the proposer has in mind.\n* [issue](https://github.com/linuxfoundation/cii-census/issues) -\n  if you have an idea or bug report (but no specific change to pull).\n* [mailing list](https://lists.coreinfrastructure.org/mailman/listinfo/cii-census) - for general discussion of this project.\n\nHere are some examples of things you could do:\n\n* try different metrics and heuristics. Send us pull\n  requests for the ones that you find experimentally make the most sense.\n* try different data sources.\n* review the data in projects_to_examine.csv and send corrections and elaborations.\n* suggest more projects to consider in the future.\n* mention additional relevant literature in the field.\n\nChanges to the Python code should generally comply with\n[Python PEP 8](https://www.python.org/dev/peps/pep-0008/)\nbut use 2 spaces per indentation level.\nChanges must pass \"make analyze\" (which runs the static analysis tool pyflakes)\nand \"make test\" (which runs the automated test suite).\nChanges that add major new functionality *must* extend the automated test\nsuite as necessary to cover it.\nWe use the \"-t\" and \"-3\" warning flags (\"-3\" detects some Python 2/3 problems).\n\nIn the future we hoped to add an additional static analysis tool,\npylint.  
So changes shouldn't add new pylint reports,\nand fixing pylint reports is welcome\n(you can see them by running \"make pylint\").\nIt's written in Python 2, but the goal is to avoid any construct that\n2to3 can't automatically fix.\n\n# Background\n\nThis work was sponsored by the Linux Foundation's [Core Infrastructure Initiative](https://www.coreinfrastructure.org/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fcensus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fcensus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fcensus/lists"}